When was the last time you manually defragmented your hard drive? Or when did your OS last request that you do so?

Modern desktop OSs have all embraced, in one form or another, self-maintaining systems and start-up diagnostics since 2005. One can then ask whether this means that you no longer need to defragment your hard drive.

According to a post by Microsoft’s Windows Server Performance Team, defragmenting your hard drive is still worthwhile: it lets the drive read contiguous blocks of data in one go, which means faster seek and read times. However, there is a small caveat. No, actually a huge one. Files above 64MB are ignored by the defragmenter, as defragmenting them does not noticeably improve performance. This reiterates an earlier post two years ago by the Storage Team, which stated that thanks to improvements in NTFS (the journaling file system used by default since Windows XP), locating file fragments now takes so little time that defragmenting them is not worth the time and computational load on the PC.

64MB seemed rather large a decade or so ago, but today’s standard USB sticks (like those given away for free at electronics stores when you sign up for their catalogs) are 4GB, about 64 times as much. You can probably get some performance improvements when sorting your MP3 collection, whose file sizes average about 3MB each. But if you’re looking to sort your PVR recordings from your Windows 7 Media Center, you’re out of luck. The improvements in hard drive speed in the last few decades are so large that even when combined with an older OS, you’ll see marked improvements. Solid State Drives (SSDs), anyone?

That brings us to the reason for this post. We were alerted to reports of some fake hard drive diagnostic applications going around recently. Based on a few searches, the earliest reports were found around the first week of October this year. In the last few days, a rash of unique binaries was foisted onto hapless users who may not be as informed as the readers of this blog now are.

A cursory look at the binaries so far shows that these originated from or communicated with the following IP address ranges (We suggest you start blocking these unless you are already protected by our security products powered by the Trend Micro™ Smart Protection Network™):

62.122.72.0/23
91.200.242.0/23
91.212.127.0/24
91.213.157.0/23
95.169.160.0/23

Check Disk, Hard Drive Diagnostic, HDD Control, HDD Diagnostic, HDD Scan, Quick Defragmenter, Smart Defragmenter, System Defragmenter, Ultra Defragger, Scan Disk, and Win Defrag—these are the current aliases of this piece of scareware that users should be wary of. When tempted to install them, don’t be. These are likewise blocked and flagged as TROJ_FAKEAL.CG.

As mentioned earlier, we saw several unique variants but they all work alike. The one in the picture above is a particular sample from this group. Once the fake drive scan is finished, it will ask for registration and activation.

And then, guess what, you will be presented with a “secure and verified” phishing payment screen. Sound familiar? It should, because we just posted an entry last week on how to recognize FAKEAV.

An extra bit of warning: enough versions now come prepackaged with the TDSS rootkit, which we previously reported on as part and parcel of many other bots, including FAKEAV. As proof, we noticed that some of the source IP addresses came up in our monitoring for that specific malware family!

This entry was posted on Thursday, December 9th, 2010 at 1:17 pm and is filed under Bad Sites, Malware, Mobile.

208.67.216.0/21 is a false positive. That netblock is OpenDNS, which presumably resolved a dead domain name to their ad-supported search page. Are you still listing it in your Smart Protection Network?

The other netblocks are all Eastern European networks.

Jonathan Leopando (Technical Communications)

Hi Andrew,

Thanks for bringing this to our attention. The OpenDNS IP address locations are currently not blocked by our Smart Protection Network, so there is no false positive present.